Red Hat Bugzilla – Full Text Bug Listing
|Summary:||cannot run virt-manager as regular user in a VNC session|
|Product:||Red Hat Enterprise Linux 6||Reporter:||Jeff Bastian <jbastian>|
|Component:||libvirt||Assignee:||Cole Robinson <crobinso>|
|Status:||CLOSED ERRATA||QA Contact:||Virtualization Bugs <virt-bugs>|
|Version:||6.0||CC:||berrange, dallan, dyuan, eblake, ikke, lfarkas, myllynen, mzhan, rdassen, rwu, sputhenp, weizhan, whuang, xen-maint, yoyzhang, zpeng|
|Fixed In Version:||libvirt-0.9.10-1.el6||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2012-06-20 02:24:39 EDT||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Jeff Bastian 2010-08-18 12:01:51 EDT
Description of problem: I'm running a VNC session on a remote RHEL 6 Beta system, and if I try to start virt-manager as a regular user, it gives me an error: Unable to open a connection to the libvirt management daemon. Libvirt URI is: qemu:///system Verify that: - The 'libvirtd' daemon has been started libvirtd is running: $ pgrep -l libvirt 7868 libvirtd If I expand the Details section, it shows a Python traceback indicating an authentication problem. Unable to open connection to hypervisor URI 'qemu:///system': authentication failed Traceback (most recent call last): File "/usr/share/virt-manager/virtManager/connection.py", line 992, in _try_open None], flags) File "/usr/lib64/python2.6/site-packages/libvirt.py", line 111, in openAuth if ret is None:raise libvirtError('virConnectOpenAuth() failed') libvirtError: authentication failed Starting virt-manager via sudo works fine. virt-manager should ask for a password if it fails to authenticate instead of giving a misleading error message. Version-Release number of selected component (if applicable): virt-manager-0.8.4-7.el6.noarch libvirt-0.8.1-20.el6.x86_64 polkit-0.96-2.el6.x86_64 ConsoleKit-0.4.1-3.el6.x86_64 How reproducible: every time Steps to Reproduce: 1. as a regular user on a RHEL 6 system: vncserver -geometry 1680x1050 -depth 24 2. from another system: vncviewer -via rhel6-hostname rhel6-hostname:1 3. in the VNC session virt-manager Actual results: virt-manager prints an error asking if libvirtd is running Expected results: virt-manager asks for a password or otherwise starts successfully Additional info: This has also been reported in Fedora bug 579579.
Comment 1 Jeff Bastian 2010-08-18 12:12:08 EDT
polkit is running in my VNC session and trying to start a new agent complains that it's already running: $ ps auxwww | grep polkit gdm 8130 0.0 0.2 242560 7680 ? S Aug02 0:00 /usr/libexec/polkit-gnome-authentication-agent-1 root 8139 0.0 0.1 49856 4252 ? S Aug02 0:00 /usr/libexec/polkit-1/polkitd jbastian 13789 0.0 0.1 224204 5288 pts/0 S 10:34 0:00 /usr/libexec/polkit-gnome-authentication-agent-1 jbastian 16708 0.0 0.0 103152 832 pts/3 S+ 11:04 0:00 grep polkit $ /usr/libexec/polkit-gnome-authentication-agent-1 (polkit-gnome-authentication-agent-1:16752): GLib-GObject-WARNING **: cannot register existing type `_PolkitError' (polkit-gnome-authentication-agent-1:16752): GLib-CRITICAL **: g_once_init_leave: assertion `initialization_value != 0' failed ** (polkit-gnome-authentication-agent-1:16752): WARNING **: Unable to register authentication agent: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for session Cannot register authentication agent: Remote Exception invoking org.freedesktop.PolicyKit1.Authority.RegisterAuthenticationAgent() on /org/freedesktop/PolicyKit1/Authority at name org.freedesktop.PolicyKit1: org.freedesktop.PolicyKit1.Error.Failed: An authentication agent already exists for session
Comment 2 Daniel Berrange 2010-08-18 12:15:39 EDT
> virt-manager should ask for a password if it fails to authenticate instead of > giving a misleading error message. This isn't possible with the architecture of policykit. virt-manager connects to the libvirtd daemon over a UNIX socket and libvirtd then askes policy kit to authenticate the connection. So virt-manager itself is never involved in authenticating, it is all out-of-band via PolicyKit. This sounds like its a problem with PolicyKit within VNC server sessions, possibly because VNC won't start/register any ConsoleKit session.
Comment 3 Jeff Bastian 2010-08-18 13:06:36 EDT
I'm a newbie with polkit so I don't know if I'm opening up security holes, but with a bit of experimentation I was able to create a pkla file that lets me start virt-manager in my VNC session without a password: $ sudo cat /etc/polkit-1/localauthority/50-local.d/jbastian-libvirt.pkla [jbastian libvirt Permissions] Identity=unix-user:jbastian Action=org.libvirt.* ResultAny=yes ResultInactive=yes ResultActive=yes
Comment 4 Jeff Bastian 2010-08-18 13:14:35 EDT
Yeah, this is probably a more generic problem with PolicyKit and VNC rather than virt-manager. I also noticed nm-applet was not running in my VNC session, so I tried starting it and got $ nm-applet ** (nm-applet:21517): WARNING **: <WARN> request_name(): Could not acquire the NetworkManagerUserSettings service. Error: (9) Connection ":1.495" is not allowed to own the service "org.freedesktop.NetworkManagerUserSettings" due to security policies in the configuration file
Comment 5 Jeff Bastian 2010-08-18 13:15:37 EDT
This is interesting: PackageKit also had this problem in VNC sessions and was just updated to allow it, see bug 528511.
Comment 6 Jeff Bastian 2010-08-18 17:04:00 EDT
I looked at the recent patch for PackageKit (see bug 528511) and tried making a similar change for libvirt. I removed my custom /etc/polkit-1/localauthority/50-local.d/jbastian-libvirt.pkla file, then I made the following changes: --- /usr/share/polkit-1/actions/org.libvirt.unix.policy.ORIG 2010-08-11 04:15:04.000000000 -0500 +++ /usr/share/polkit-1/actions/org.libvirt.unix.policy 2010-08-18 15:55:23.529641403 -0500 @@ -34,8 +34,8 @@ <defaults> <!-- Only a program in the active host session can use libvirt in read-write mode for management, and we require user password --> - <allow_any>no</allow_any> - <allow_inactive>no</allow_inactive> + <allow_any>auth_admin</allow_any> + <allow_inactive>auth_admin</allow_inactive> <allow_active>auth_admin_keep</allow_active> </defaults> </action> I restarted polkitd and my VNC session and when I tried to start virt-manager, it asked for the root password! I entered the password and virt-manager started working. Can we make the above change to the libvirt policy?
Comment 7 Jeff Bastian 2010-08-18 17:04:41 EDT
Changing componenet from virt-manager to libvirt.
Comment 8 Daniel Berrange 2010-08-19 03:50:42 EDT
No, that change gives any local user full privileges to libvirtd. Since this is running as root and has the ability to change arbitrary host storage, networking, etc, you have effectively given all local users unauthenticated root access.
Comment 9 Daniel Berrange 2010-08-19 03:56:11 EDT
Opps, no, i misread that. auth_admin is probably safe, provided you're using a secure remote channel (ie VNC + TLS/SSH).
Comment 10 Jeff Bastian 2010-08-19 10:01:15 EDT
Yes, I always tunnel through ssh. Not only is it secure, I find it's easier than poking holes in the firewall to allow VNC traffic through. (And 'vncviewer -via ...' makes the tunneling easier than 'ssh -L ...')
Comment 14 Daniel Berrange 2011-02-10 07:21:59 EST
system-config-keyboard is not an example of good design/practice. It is using the legacy consolehelper code which forces the entire application to run as root, which is deprecated because it is not a secure design pattern. The current recommended architecture is to run a daemon privileged, and the desktop application unprivileged & use policykit for authentication between the two. This is what virt-manager correctly does.
Comment 15 Dave Allan 2011-02-14 23:36:34 EST
Assuming for a minute that the change proposed in comment 6 is correct, is that a libvirt change or a PolicyKit change? I.e., should we change the component?
Comment 16 Jeff Bastian 2011-02-15 08:35:08 EST
I think libvirt is the right component. $ rpm -qf /usr/share/polkit-1/actions/org.libvirt.unix.policy libvirt-0.8.1-27.el6.x86_64
Comment 17 Suzanne Yeghiayan 2011-03-28 17:11:54 EDT
Since RHEL 6.1 External Beta has begun, and this bug remains unresolved, it has been rejected as it is not proposed as an exception or blocker. Red Hat invites you to ask your support representative to propose this request, if appropriate and relevant, in the next release of Red Hat Enterprise Linux.
Comment 18 Levente Farkas 2011-04-20 09:04:20 EDT
the problem was something similar to this for us. one of our user delete the /usr/libexec/polkit-gnome-authentication-agent-1 from the strartup application (or copy from his home form an older rhel/fedora etc). and it was _very_ hard to find the reason. it'd be useful to popup an error message that the policykit agent is not running while it should have to be. and in this case even through vnc it is working _without_ the changes in #6.
Comment 21 Dave Allan 2012-01-09 16:41:05 EST
Cole, what can we do here? Is this really a libvirt problem or is it virt-manager?
Comment 22 Cole Robinson 2012-01-16 22:12:06 EST
Dave, this isn't specific to virt-manager since it's we rely entirely on libvirt and policykit. Though I'm pretty sure this is expected behavior from policykit, it isn't intended to allow entering a root password over something like VNC or SSH -X AIUI. Though it would be helpful if policykit, libvirt, or virt-manager could give a useful error about this limitation rather than the annoyingly opaque 'authentication failed'. But I'm not sure how to do that
Comment 23 Dave Allan 2012-01-16 23:05:16 EST
(In reply to comment #22) > Dave, this isn't specific to virt-manager since it's we rely entirely on > libvirt and policykit. Though I'm pretty sure this is expected behavior from > policykit, it isn't intended to allow entering a root password over something > like VNC or SSH -X AIUI. I just read over the transcript for bug 528511, and I agree with comment 6 and Dan's comment 9 that "auth_admin" is an acceptable fix, and it seems to have passed muster in bug 528511. I've granted devel ack.
Comment 25 Cole Robinson 2012-02-07 12:58:25 EST
Created attachment 560024 [details] Allow polkit auth for SSH and VNC users Also upstream: http://libvirt.org/git/?p=libvirt.git;a=commit;h=756e6ab467a27e8228bfa2704d1c4883355ac666
Comment 28 Huang Wenlong 2012-02-14 03:50:27 EST
Verify this bug with : libvirt-0.9.10-1.el6.x86_64 Steps to Reproduce: 1. as a regular user on a RHEL 6 system: vncserver -geometry 1024x768 -depth 24 2. from another system: vncviewer $rhel6-hostname:1 3. in the VNC session virt-manager --debug 4. virt-manger can start up , vurt-manager ask passwd for root ,after input passwd , it can works well
Comment 30 errata-xmlrpc 2012-06-20 02:24:39 EDT
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. http://rhn.redhat.com/errata/RHSA-2012-0748.html